
I have checked my props.conf and transforms.conf files after configuring all of this and there are entries in there. I also made sure the permissions on these were all Everyone can Read, Admin can write for only the search app which is where this is located.

When I do a search for sourcetype=EPPWEB, I get the following error:

[log1.blahblahblah.info] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::EPPWEB' and lookup table 'WAT_Lookups'
[log2.blahblahblah.info] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::EPPWEB' and lookup table 'WAT_Lookups'

I just can't seem to get it to work.

Basically the end result is, for example, a filename called Invoice.pdf to be otherwise known as "Billing Invoice".

NOTE: I already have "filename" as a field extracted through props.conf. So under the field filename you have some files listed like text.text, Invoice.pdf, etc. I'm not sure if this is doing anything w/ the lookup.

I assume 'filename' is a field that exists for your sourcetype. Does the description field appear if you do this search? Assuming that WAT_Lookups is the name of the lookup in Manager » Lookups » Lookup definitions.

sourcetype="EPPWEB" | lookup WAT_Lookups filename

If this works then there is something wrong with your automatic lookup. Just seems to be a configuration issue here somewhere. Splunk shouldn't do anything to the file so it must have gotten put in there by your editor.

It searches and brings back results but there is no "description" field with the names I specified. And the lookup definition was called WAT_Lookups. I'm not sure if "where" my field extraction is located is the problem? My field extraction for "filename" is located in /opt/splunk/etc/system/local. This lookup is in /opt/splunk/etc/apps/search/local.

If you can see filename show up then it's not a problem. I would suggest recreating the steps to create the lookup and delete the old ones. Do it as a manual and try it from the search and then make it automatic.
